Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Agora: Trust Less and Open More in Verification for Confidential Computing

Hongbo Chen, Quan Zhou, Sen Yang, Xing Han, Fan Zhang, Danfeng Zhang, Xiaofeng Wang

TL;DR

Agora tackles the tension between open, trustworthy binary verification and small trusted computing bases by offloading heavyweight program analysis to untrusted parties and keeping a lightweight validator in the TCB. It combines a Binary Verifier (BV) with a blockchain-backed Bounty Task Manager (BTM) and a policy-assertion language to support multiple security policies (e.g., SFI, IFC, LVI) while preserving auditability. The approach reduces TCB size, enables crowdsourced theorem proving via smart contracts, and provides verifiable evidence of verification results through a tamper-evident ledger, offering practical scalability for confidential computing on the cloud. The evaluation shows favorable TCB size compared with existing tools, competitive verification performance for SFI/IFC/LVI, and a cost model indicating viable deployment with blockchain and TEEs.

Abstract

Binary verification plays a pivotal role in software security, yet building a verification service that is both open and trustworthy poses a formidable challenge. In this paper, we introduce a novel binary verification service, AGORA, scrupulously designed to overcome the challenge. At the heart of this approach lies a strategic insight: certain tasks can be delegated to untrusted entities, while the corresponding validators are securely housed within the trusted computing base (TCB). AGORA can validate untrusted assertions generated for versatile policies. Through a novel blockchain-based bounty task manager, it also utilizes crowdsourcing to remove trust in theorem provers. These synergistic techniques successfully ameliorate the TCB size burden associated with two procedures: binary analysis and theorem proving. The design of AGORA allows untrusted parties to participate in these complex processes. Moreover, based on running the optimized TCB within trusted execution environments and recording the verification process on a blockchain, the public can audit the correctness of verification results. By implementing verification workflows for software-based fault isolation policy and side-channel mitigation, our evaluation demonstrates the efficacy of AGORA.

Agora: Trust Less and Open More in Verification for Confidential Computing

TL;DR

Agora tackles the tension between open, trustworthy binary verification and small trusted computing bases by offloading heavyweight program analysis to untrusted parties and keeping a lightweight validator in the TCB. It combines a Binary Verifier (BV) with a blockchain-backed Bounty Task Manager (BTM) and a policy-assertion language to support multiple security policies (e.g., SFI, IFC, LVI) while preserving auditability. The approach reduces TCB size, enables crowdsourced theorem proving via smart contracts, and provides verifiable evidence of verification results through a tamper-evident ledger, offering practical scalability for confidential computing on the cloud. The evaluation shows favorable TCB size compared with existing tools, competitive verification performance for SFI/IFC/LVI, and a cost model indicating viable deployment with blockchain and TEEs.

Abstract

Binary verification plays a pivotal role in software security, yet building a verification service that is both open and trustworthy poses a formidable challenge. In this paper, we introduce a novel binary verification service, AGORA, scrupulously designed to overcome the challenge. At the heart of this approach lies a strategic insight: certain tasks can be delegated to untrusted entities, while the corresponding validators are securely housed within the trusted computing base (TCB). AGORA can validate untrusted assertions generated for versatile policies. Through a novel blockchain-based bounty task manager, it also utilizes crowdsourcing to remove trust in theorem provers. These synergistic techniques successfully ameliorate the TCB size burden associated with two procedures: binary analysis and theorem proving. The design of AGORA allows untrusted parties to participate in these complex processes. Moreover, based on running the optimized TCB within trusted execution environments and recording the verification process on a blockchain, the public can audit the correctness of verification results. By implementing verification workflows for software-based fault isolation policy and side-channel mitigation, our evaluation demonstrates the efficacy of AGORA.
Paper Structure (37 sections, 13 equations, 10 figures, 1 table)

This paper contains 37 sections, 13 equations, 10 figures, 1 table.

Table of Contents

  1. Introduction
  2. Background
  3. Related Work
  4. System Overview
  5. Binary Verification
  6. Policy Specification and Proof Obligation
  7. Code Preprocessing
  8. Assertion Language
  9. Assertion Validation
  10. Satisfiability Check
  11. Case Study
  12. Verifying SFI
  13. Memory Access Safety
  14. Control-flow Integrity
  15. Verifying Information Flow Safety
  16. ...and 22 more sections

Figures (10)

  • Figure 1: System architecture of Agora.
  • Figure 2: Overview of the Binary Verifier's workflow.
  • Figure 3: Agora's assertion grammar.
  • Figure 4: Illustration of ConfLLVM's workflow.
  • Figure 5: BTM Workflow for $\forall$-quantified policies.
  • ...and 5 more figures